Skip to content

Configure Azure Consumption(Billing) inputs for the Splunk Add-on for Microsoft Cloud Services

Configure your inputs on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder. You can configure inputs using Splunk Web, which is a best practice.

Prerequisites

Before you enable inputs, complete the following steps in the configuration process:

Note

The Azure Consumption(Billing) input for the Splunk Add-on for Microsoft Cloud Services is not compatible with Azure Reservation Recommendation and Azure Billing and Consumption inputs in the Microsoft Azure Add-on for Splunk.

Note

The Azure Consumption (Billing) input for the Usage Details data type collects data until one day prior to the current UTC time at every interval invocation.

Configure inputs using Splunk Web

Configure your inputs using Splunk Web on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In the Splunk Add-on for Microsoft Cloud Services, select Inputs.
  2. Select Create New Input and then select Azure Consumption(Billing).

  3. Enter the following:

    • Name
    • Azure App Account
    • Subscription ID
    • Data Type
    • Interval
    • Index
    • Sourcetype
    • Max days to query
    • Start Date

Use the information in the following Input parameters table.

Configure inputs using configuration files

Configure your inputs using the configuration files on the Splunk platform instance responsible for collecting data for this add-on, usually a heavy forwarder.

  1. In your Splunk platform deployment, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_microsoft-cloudservices/local.
  2. Create a file named inputs.conf, if it does not already exist.

  3. Add the following stanza for consumption input:

    a. Input configuration for the Usage Details data type:

    [mscs_azure_consumption://<input_stanza_name>]
account = <value>
data_type = Usage Details
index = <value>
interval = 86400
query_days = <value>
sourcetype = mscs:consumption:billing
start_date = <value>
subscription_id = <value>

    b. Input configuration for Reservation Recommendation data type:

    [mscs_azure_consumption://<input_stanza_name>]
account = <value>
data_type = Reservation Recommendation
index = <value>
interval = 86400
sourcetype = mscs:consumption:reservation:recommendation
subscription_id = <value>

  4. Save and restart the Splunk platform.

Input parameters

Each attribute in the following table corresponds to a field in Splunk Web:

Attribute Corresponding Field in Splunk Web Description
input_stanza_name Name A friendly name for your input. Name cannot contain any whitespace.
account Azure Account The Azure App account from which you want to collect data. Name cannot contain any whitespace.
subscription_id Subscription ID The Azure Subscription ID.
data_type Data Type Data Types:

- Usage Details: To collect usage details data.
- Reservation Recommendation: To collect reservation recommendation data.

The default is Usage Details.
interval Interval The number of seconds to wait before the Splunk platform runs the command again. The default is 86400 seconds.
index Index The index in which to store Azure Consumption data.
sourcetype Sourcetype Select the respective sourcetype based on the configured Data Types:

- Usage Details: mscs:consumption:billing.
- Reservation Recommendation: mscs:consumption:reservation:recommendation.

The default is mscs:consumption:billing.
query_days Max days to query Specify the maximum number of days to query. The default is 10 days. Only visible and applicable when data type is Usage Details. When Usage Details data type is selected, each time this input runs a start date, it is calculated for the Usage Details API query.
The end date for the Usage Details API query is calculated as the start date plus the number of days specified by this parameter.
For example, if the calculated start date is 2022-01-01T00:00:00 (midnight on January 1, 2022), the end date for the query is 2022-01-11T00:00:00 if the Max days to query is 10 days.
start_date Start Date Select a Start Date to specify how far back to go when initially collecting data. The default is 90 days in the past. Only visible and applicable when data type is Usage Details.